US government pushes companies to address cyberthreats

As cyberattacks grow in frequency and damage, the Obama administration is pushing companies to move faster to address the fastest-growing threat in the 21st century.

"The administration is looking at all possible means to encourage the private sector to enhance its cybersecurity," said Ronald D. Lee, a Washington-based national security and government contracts attorney.

Even though new laws and regulations are in place, the hope is that private companies can help take the lead, as even President Barack Obama recently acknowledged that the government cannot address the threat alone.

New legislation—part of this year's National Defense Authorization Act signed by Obama in December—requires more defense contractors to quickly disclose when they are breached.

The new rules, which specifically impact contractors who support transportation and logistics for the Defense Department, also require companies to give the government limited access to networks and equipment impacted by a breach.

For now, the new rules are limited to specific defense contractors, but it may not be long before the government implements more regulations on all federal contractors as it pushes for companies to adopt higher security standards, cybersecurity experts said.

"They are looking at all their different means and one of them is the government-procurement lever. And it's a very large one," said Lee.

More regulation for contractors

The new law specifically affects a group of contractors newly classified as "operationally critical contractors."

These include contractors who are a "critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation," according to the act.

While the DOD has not yet specified which contractors constitute an "operationally critical contractor," it's likely commercial airlines, rail and motor carriers will all be included, said Washington-based attorney Mary E. Bosco of Holland & Knight.

The federal government is heavily dependent on contractors to move military personnel and equipment around the world, so it wants the systems handling information about these transports safe from hackers, she said.

"If you could hack into the airline's commercial carrier systems, you would learn a lot about where U.S. troops and supplies are getting deployed," Bosco said.

The new reporting requirements come after a year-long Senate investigation ending in May 2013 that found defense contractors who transported troops and supplies were the target of numerous cyberattacks.

Contractors who worked for the U.S. Transportation Command (TRANSCOM) were breached about 50 times during a 12-month period, according to the report. And 20 of those attacks were labeled as "advanced persistent threats," which are sophisticated intrusions that typically stem from another government.

Some government contractors who handle sensitive information are already required to report cyberbreaches, but there's still no uniform requirement for all companies doing business with the federal government, Bosco said. That's quickly changing.

"Soon, pretty much everyone will be covered. The degree of coverage may vary, depending on the size and sophistication of the work it does with the government," Bosco said. "Now, a number within DOD would have a requirement and by the end of the year you are going to see a reporting requirement imposed on most of them."

While the new regulations were aimed at addressing these concerns within the Defense Department, they were also aimed at strengthening the administration's grander plan, which is to push all U.S. companies to adopt higher security standards.

"This is both a response to everything you are seeing in the world, this DOD regulation, but also an effort by not just the DOD, but by the administration to drive companies in the private sector generally towards greater cybersecurity and more disclosure with the government," Lee said.

Cyber rules for the private sector

And soon, government contractors may not be the only ones getting hit with regulations.

While Congress has struggled to pass any comprehensive cyber legislation impacting the private sector as a whole, the growing number of massive hacks against companies like Anthem and Sony will likely spur lawmakers to continue regulation efforts.

"The big hangup the last time was there was a lot of angst in Congress about making mandatory standards. But the Sony hack and other things made Congress probably more likely to act," Bosco said.

However, instead of requiring the same reporting standards for companies, Congress will likely focus on creating systems that make it easier for businesses to share information about threats, she said.

Last Friday, Obama signed an executive order that calls for more cooperation between the government and companies in the fight against cyberthreats.

"This has to be a shared mission. So much of our computer networks and critical infrastructure are in the private sector, which means that government cannot do this alone," Obama said during his speech at the White House Summit on Cybersecurity and Consumer Protection.

While specifications in Obama's order are not mandatory, companies will want to abide by them because it is the standard they will be measured by in the case of a cyberattack, Bosco said.